Brazil's Lei Geral de Proteção de Dados (LGPD), or General Data Protection Law, is a comprehensive data protection regulation that went into effect in September 2020. Modelled after the European Union's General Data Protection Regulation (GDPR), the LGPD establishes a legal framework for the use, protection, and transfer of personal data in Brazil, affecting businesses and organizations both within and outside the country that process personal data of individuals in Brazil.
The LGPD applies to any personal data processing activity that either occurs within Brazil, targets individuals in Brazil by offering goods or services, or involves data collected within Brazil. It defines personal data broadly, covering information related to an identified or identifiable natural person, and introduces the concept of sensitive personal data, which includes data on racial or ethnic origin, religious belief, political opinion, health or sexual life, genetic or biometric data, among others, requiring higher levels of protection.
Under the LGPD, data subjects are granted extensive rights, including the right to access their data, correct incomplete or inaccurate data, anonymize or delete unnecessary or excessive data, port data to another service or product provider, delete data processed with consent, and obtain information about entities with which their data has been shared. Additionally, the law mandates the explicit consent for data processing, except in specific cases provided by the law, and introduces the principles of purpose limitation, data minimization, and transparency.